Saturday, February 27, 2010

One hundred years ago when I was a judicial clerk at DC Superior Court, the worst docket was divorce court. The parties hated each other. They were nasty to each other. The attorneys were nasty. Everyone would do vindictive things to each other. It was horrible. Nothing was worse.

Oh yeah, there was something worse. Divorce where all the parties are lawyers – a law firm break up. ("Argh! Make that bad people stop!" says the judicial clerk buried in motions and pleadings).

Today's case is the best of both worlds; it involves a married couple engaged in a contentious divorce who also happened to be busting up their firm. Global Policy Partners, Inc. v. Yessin, No. 1:09cv859 (EDVa Nov. 24, 2009). The question for the court was: when Defendant decided to log into Plaintiff's email account in order to read Plaintiff's emails to her divorce attorney – did Defendant violate the Computer Fraud and Abuse Act – had he hacked her email account without authority?

The alleged facts of the case are a bit messy; here is a simplified, made-for-TV, version (story has been changed to fit your screen): Plaintiff lived in State A, Defendant lived in State B, they were partners in the ACME firm, and Defendant was the manager of the ACME firm. The Parties were engaged in a contested divorce and dissolution of their firm. Defendant allegedly stumbled upon Plaintiff's email password and used it to access Plaintiff's email at the ACME firm, reading messages between Plaintiff and her divorce attorney. Plaintiff became suspicious and changed her password. Defendant still tried to gain access to Plaintiff's account and even sought the assistance of the Help Desk to gain the new password.

Plaintiff filed suit in federal court. As a part of Plaintiff's complaint, Plaintiff alleges that Defendant violated the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Stored Communications Act – in addition to several state causes of action. Defendant moved to dismiss Plaintiff's complaint for failure to state a cause of action. The question before the court here was not whether Plaintiff wins the case – it's merely should the case go forward: has Plaintiff stated a claim that is plausible, that she could eventually win as a matter of law if she provides sufficient evidence?

As many of the experts in this area of law will tell you, ECPA is a complicated area of law, and this case hits on two big complications: when does a party have authority to access a computer system and when is an email message in transit such that reading the email message is an interception.

This case confused me on several grounds. First, ECPA, CFAA, and SCA normally are talked about as restraints on police power (when do the police get to wiretap your phone), or conversely are laws used by the police to nail a criminal (for instance, the guys in the parking lot of the hardware box store sniffing credit card numbers out of the unencrypted WiFi signal). This case involves a civil cause of action between two civilians – no police involved here at all (oh yeah, goes the dumb guy, the law does restrain the actions of civilians and does provide a private right of action).

The Federal Court proceeded with its analysis by lumping the Computer Fraud and Abuse Act (18 U.S.C. § 1030 (a)) claim with the Stored Communications Act (18 U.S.C. § 2701(a)) claim, and analyzing whether Defendant's access of the Plaintiff's email at ACME was authorized. He was, after all, the manager at ACME. Wouldn't that mean he has authorization to access any of the firm's assets?

It's not so simple says the court. Yes, generically, the manager of a firm ought to have authority to access the firm's computer assets; but some situations merit a further exploration of facts: "authorization to access a computer network is analyzed 'on the basis of the expected norms of intended use.'" The Court notes that the following facts cut against Defendant: Defendant used a password to access an email account that was not his, and Defendant lacked a legitimate business reason to access that account.

Defendant responds that State B law authorizes him, as manager, to act as an agent of the firm for purposes of carrying out the ordinary business of transferring or affecting the firm's real property. To quote the Court: "Really?!?!" The court pointed out that authority to transfer real property is not exactly the same as authority to spy on your wife by hacking into her email to her divorce attorney. The court further pointed out that spying on one's wife is not normally considered "ordinary business." Motion denied.

Therefore, the Court concludes, Plaintiff has alleged sufficient facts to establish a plausible cause of action that Defendant hacked her account without authorization pursuant to the Computer Fraud and Abuse Act and the Stored Communications Act (again, not that Plaintiff wins, merely that this cause of action gets to go to trial).

Now here comes the tricky part. The third cause of action is a violation of the Electronic Communications Privacy Act, or, in plain English, did Defendant intercept Plaintiff's email. The begged question is, when is an email in transit such that it can be intercepted, and when is it not. If Defendant read Plaintiff's email before Plaintiff had read it, is that interception? What about after plaintiff read it?

In the words of the Court,

Courts applying the ECPA have consistently held that a qualifying "intercept" occurs only where the acquisition of the communication occurs contemporaneously with its transmission by its sender. Thus, interception includes accessing messages in transient storage on a server during the course of transmission, but does not include accessing the messages stored on a destination server . . . a qualifying "intercept" under the ECPA [] can only occur where an e-mail communication is accessed at some point between the time the communication is sent and the time it is received by the destination server, at which point it becomes a "stored communication" within the meaning of the SCA.

Think of it this way, football fans: can you intercept a passed football after it has been caught? While it's true that you might be able to force a fumble, this ain't an interception (even if the result on the scoreboard is the same).

In this case, Plaintiff's emails were sitting on her computer on the ACME network. Defendant had to illicitly use Plaintiff's password to get at them, and after Plaintiff had changed the password, Defendant was closed out. The emails had reached their destination server; thus, Plaintiff had not alleged facts pursuant to which an ECPA claim could be successful. The Court dismissed this cause of action.

Here is another place I got confused. You see, if it were the police that wanted access to this email, the fact that Plaintiff had not opened the email would be relevant. If the email has been unopened for less than 181 days, the police need a warrant to gain access to it. If the email has been opened or it's been more than 181 days, the police need a subpoena. 18 U.S.C. § 2703(a) & (b). But all of this is irrelevant as there are no police involved in this scenario. And as the Court notes, all of this falls under the Stored Communications Act – not ECPA.

Let's see what today's lesson is: "Wheel of Morality, turn, turn, turn - Tell us what lesson we should learn." [Whirl, Click, Click, Clock]: Attorneys should not be permitted to marry.

Enabling Off-Hours Public Access to School Networks Spreads Benefit of E-rate at No Cost to Universal Service Fund

Washington D.C. – The Federal Communications Commission today adopted an order that enables schools that receive funding from the E-rate program (more formally, the schools and libraries universal service support program) to allow members of the general public to use the schools' Internet access during non-operating hours. This change attracted broad support in comments received while developing the National Broadband Plan.

This action will leverage universal service funding to serve a larger population at no increased cost to the E-rate program. If a school chooses to allow community access, the general public will be able to use the Internet access already present in schools for purposes such as job searches and applications, digital literacy programs, and online access to governmental services and resources. Increasing community access to the Internet is particularly critical in communities where residential adoption of broadband Internet access has historically lagged, including many rural, minority, and Tribal communities. Libraries already may provide Internet access to their communities using E-rate support. Today's order enables schools to provide similar access to the public.

Currently, Commission rules require schools to certify that they will use E-rate funded services solely for “educational purposes,” defined as activities that are integral, immediate, and proximate to the education of students. As a result, services and facilities purchased by schools using E-rate funding remain largely unused during evenings, weekends, school holidays, and summer breaks. Waiving the relevant rules will maximize the use of facilities and services supported by the E-rate program by giving schools the option to open their E-rate funded facilities to members of the public during non-operating hours.

The waiver of the Commission's rules is effective from adoption of the order through funding year 2010 (which ends June 30, 2011). This waiver is subject to the following conditions: (1) schools participating in the E-rate program are not permitted to request more services than are necessary for “educational purposes”; (2) any community use of E-rate funded services at a school facility is limited to non-operating hours, such as after school hours or during times when the students are out of school; and (3) consistent with the Communications Act, schools may not resell discounted services or network capacity. This order and notice do not permit or require any changes to E-rate applications due on February 19, 2010.

In addition, the Commission adopted a notice of proposed rulemaking, which seeks comment on revising the Commission's rules to make today's change permanent. The Commission also seeks comment on conditions that should be established to guard against potential additional costs being imposed on the E-rate program and to reduce the likelihood of waste, fraud, and abuse.

NIST announces the public comment release of Special Publication (SP) 800-119, Guidelines for the Secure Deployment of IPv6. IPv6 (Internet Protocol version 6) is the next generation Internet Protocol, accommodating vastly increased address space. This document describes and analyzes IPv6's new and expanded protocols, services, and capabilities, including addressing, DNS, routing, mobility, quality of service, multihoming, and IPsec. For each component, there is a detailed analysis of the differences between IPv4 and IPv6, the security ramifications and any unknown aspects. It characterizes new security threats posed by the transition to IPv6 and provides guidelines on IPv6 deployment, including transition, integration, configuration, and testing. It also addresses more recent significant changes in the approach to IPv6 transition.

TPRC is an annual conference on communication, information and internet policy that convenes international and interdisciplinary practitioners and researchers from academia, industry, government, and nonprofit organizations together with policymakers. The purpose of the conference is to acquaint policymakers with the best of recent research and to familiarize researchers with the knowledge requirements of policymakers and industry. The conference agenda will consist of papers selected from reviewed, submitted abstracts, student papers and selected panel submissions.

TPRC is now soliciting abstracts of papers, panel proposals, and student papers for presentation at the 2010 conference. Proposals should be based on current theoretical or empirical research relevant to communication and information policy, and may be from any disciplinary perspective. TPRC seeks submissions of disciplinary, comparative, multidisciplinary or interdisciplinary excellence. Subject areas of particular interest include, but are not limited to the following:

Submissions are due by March 31, 2010. Abstracts and panel proposals must be submitted electronically at http://www.tprc.org by following the submit button at the end of each topic description. Abstracts are not to exceed 500 words. For paper abstracts, please identify the methods, central ideas, and outcomes (obtained or expected) of the research. Responses will be made by May 15, 2010. Selected papers will be due to TPRC on August 15th, 2010, and one author of the paper is expected to present the accepted submission.

Students are encouraged to submit papers for the student paper competition. Full student papers must be submitted by April 30, 2010.

We also welcome theme and industry-specific but not vendor-specific panel proposals. These should include the panel topic, a brief abstract, the name of the panel moderator and an initial list of proposed panelists. Panel proposals should be submitted by March 31, 2010.